xorist | bf546fd45bf5b341a89f60a6b62b02fe2ff9020e1ebf36d5fdc2bbf90a817fc6

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-10-2024 04:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

332fc75edd44b84a3442e6f97076f55f_JaffaCakes118.exe
Size

236KB
MD5

332fc75edd44b84a3442e6f97076f55f
SHA1

09ec6163d085cd3d9c901d5f9ee9f72755179bbe
SHA256

bf546fd45bf5b341a89f60a6b62b02fe2ff9020e1ebf36d5fdc2bbf90a817fc6
SHA512

e0ead631e79839af59fac1b2a3899dfcf0b74dca875688770bb936088e78ca634919806f1f36df7b6b219fcb93b5e30c4471e16fe9c2b997e856b268eea55557
SSDEEP

768:d8fqgktemXxS6Wv8Xw0XYSoBPkwdtzZP6VBV:skYm9/RYSoegV

Score

10^/10

xorist defense_evasion discovery persistence ransomware spyware stealer upx

Malware Config

Signatures

Detected Xorist Ransomware 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1084-15-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/1084-8793-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/1084-8796-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/1084-9064-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/1084-9065-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/1084-9066-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist

Xorist Ransomware
Xorist is a ransomware first seen in 2020.
ransomware xorist
Renames multiple (2206) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 8 IoCs

Processes:

kod.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\SysWOW64\drivers\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\SysWOW64\drivers\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	kod.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
1316	cmd.exe

Drops startup file 1 IoCs

Processes:

kod.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe

Executes dropped EXE 1 IoCs

Processes:

kod.exe

pid	Process
1084	kod.exe

Loads dropped DLL 2 IoCs

Processes:

332fc75edd44b84a3442e6f97076f55f_JaffaCakes118.exe

pid	Process
2336	332fc75edd44b84a3442e6f97076f55f_JaffaCakes118.exe
2336	332fc75edd44b84a3442e6f97076f55f_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

kod.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Zh8yO5IGMxXepAi.exe"	kod.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 64 IoCs

Processes:

kod.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\en-US\Licenses\eval\StarterN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\_Default\ProfessionalE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_scripts.help.txt	kod.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_methods.help.txt	kod.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Switch.help.txt	kod.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmirmdm.inf_amd64_neutral_fadec14b0a37b637\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\eval\ProfessionalE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_pipelines.help.txt	kod.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_trap.help.txt	kod.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net8185.inf_amd64_neutral_4ab014d645098f5f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_neutral_f935002f367d5bb0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\SysWOW64\migwiz\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hdaudss.inf_amd64_neutral_330a593eb888237c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmmc288.inf_amd64_neutral_c4a901dab689ad79\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\System32\DriverStore\FileRepository\faxcn001.inf_amd64_neutral_d23021a1eb548156\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\System32\DriverStore\FileRepository\rawsilo.inf_amd64_neutral_8eb7e6403ddbb7a8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-NetworkBridge\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\SysWOW64\wbem\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx00b.inf_amd64_neutral_89b555703683b583\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ts_generic.inf_amd64_neutral_1a5c861fdb3aab0e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\eval\Starter\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\SysWOW64\XPSViewer\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\SysWOW64\zh-CN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\_Default\Ultimate\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\SysWOW64\Speech\SpeechUX\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_command_precedence.help.txt	kod.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Command_Syntax.help.txt	kod.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_arrays.help.txt	kod.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\_Default\ProfessionalE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\eval\UltimateN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnbr007.inf_amd64_neutral_add2acf1d573aef0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky006.inf_amd64_neutral_522043c34551b0c0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\SysWOW64\tr-TR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_requires.help.txt	kod.exe
File created	C:\Windows\System32\DriverStore\FileRepository\amdsata.inf_amd64_neutral_67db50590108ebd9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\System32\DriverStore\FileRepository\bda.inf_amd64_neutral_41c6262952846788\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\System32\DriverStore\FileRepository\v_mscdsc.inf_amd64_neutral_8b1e6b55729c3283\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\SysWOW64\MUI\0409\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\System32\DriverStore\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnrc00a.inf_amd64_neutral_565c5d04cc520c48\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiabr005.inf_amd64_neutral_e14a0514f37611d8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\0009\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_CommonParameters.help.txt	kod.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_debuggers.help.txt	kod.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Windows_PowerShell_ISE.help.txt	kod.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ph3xibc3.inf_amd64_neutral_1da6abc36a79974f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-WMI-Core\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_execution_policies.help.txt	kod.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_hash_tables.help.txt	kod.exe
File created	C:\Windows\System32\DriverStore\FileRepository\arcsas.inf_amd64_neutral_c763887719bed95d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ph3xibc4.inf_amd64_neutral_310871d800afa82a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_functions_cmdletbindingattribute.help.txt	kod.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\default.help.txt	kod.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hcw72b64.inf_amd64_neutral_023772237d3a4ade\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnca00f.inf_amd64_neutral_777b6911d18869b7\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnrc004.inf_amd64_neutral_bbd3435eeaf576ee\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\SysWOW64\Speech\SpeechUX\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\HomeBasicN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_profiles.help.txt	kod.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnxx002.inf_amd64_neutral_560fdd891b24f384\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\it-IT\about_BITS_Cmdlets.help.txt	kod.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\OEM\Professional\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtx64.inf_amd64_neutral_410e89ed86071c9b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnkm005.inf_amd64_neutral_c03c9e328608873e\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/files/0x0007000000017409-3.dat	upx
behavioral1/memory/2336-4-0x0000000002580000-0x000000000258C000-memory.dmp	upx
behavioral1/memory/1084-15-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1084-8793-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1084-8796-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1084-9064-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1084-9065-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1084-9066-0x0000000000400000-0x000000000040C000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

kod.exe

description	ioc	Process
File opened for modification	C:\Program Files\Windows Media Player\Media Renderer\DMR_120.png	kod.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099194.GIF	kod.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\J0115875.GIF	kod.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground.wmv	kod.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\preface.htm	kod.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPHandle.png	kod.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	kod.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif	kod.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Program Files\Microsoft Games\FreeCell\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\THMBNAIL.PNG	kod.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsFormTemplate.html	kod.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\Generic.gif	kod.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewFrame.html	kod.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\LASER.WAV	kod.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_double_orange.png	kod.exe
File created	C:\Program Files\VideoLAN\VLC\lua\meta\reader\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341344.JPG	kod.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01238_.GIF	kod.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)greenStateIcon.png	kod.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_SelectionSubpicture.png	kod.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)redStateIcon.png	kod.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01239_.GIF	kod.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightYellow\HEADER.GIF	kod.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_hail.png	kod.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_ButtonGraphic.png	kod.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\alertIcon.png	kod.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02071U.BMP	kod.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14871_.GIF	kod.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Lime\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\MarkupIconImages.jpg	kod.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Waitcursor.gif	kod.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\timer_up.png	kod.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\settings.html	kod.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt	kod.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\HeartsMCE.lnk	kod.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_cloudy.png	kod.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_buttongraphic.png	kod.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21301_.GIF	kod.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21329_.GIF	kod.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\ffjcext.zip	kod.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0284916.JPG	kod.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR29F.GIF	kod.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\CLICK.WAV	kod.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\8.png	kod.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-crescent.png	kod.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-over-DOT.png	kod.exe
File created	C:\Program Files\Microsoft Games\More Games\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe

Drops file in Windows directory 64 IoCs

Processes:

kod.exe

description	ioc	Process
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..fontcache.resources_31bf3856ad364e35_7.1.7601.16492_de-de_772af58d442606dc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-p..ntrolsadminoverride_31bf3856ad364e35_6.1.7600.16385_none_9e0f617f287893f0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-smartcardksp.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5dfa0d6aae0352fc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-speechengine.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_477cb893f4cdb3d8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-devicemetadataparsers_31bf3856ad364e35_6.1.7600.16385_none_22e80705d605ae66\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\winsxs\msil_system.web.entity.design.resources_b77a5c561934e089_6.1.7600.16385_it-it_f925620240523017\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-gadgets-cpu.resources_31bf3856ad364e35_6.1.7600.16385_de-de_a479cd0719d5814b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..vider-rll.resources_31bf3856ad364e35_6.1.7600.16385_de-de_8afb6612219902de\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-msf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_518cae4ae00ff68c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-artcon5.resources_31bf3856ad364e35_6.1.7600.16385_it-it_30dd33f8e7823b5b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_arrays.help.txt	kod.exe
File created	C:\Windows\winsxs\amd64_prnep002.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_11ad1328609df59e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_providers.help.txt	kod.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-n..-statusui.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_e6717572d615516f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\winsxs\amd64_server-help-chm.file_srv.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4d89a23c740117ff\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_Windows_PowerShell_ISE.help.txt	kod.exe
File created	C:\Windows\inf\.NET CLR Data\040C\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-audio-dsound.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b7babad777271867\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-notepad.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_a8ab11efa5f12597\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sidebar.resources_31bf3856ad364e35_6.1.7600.16385_en-us_922fed2783be58c2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-winlogon.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_cba169dd0daf0482\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Editor.Resources\1.0.0.0_es_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..ontroller.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_68750ba1329f3c6f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-c..n-comrepl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_7a0f362f3bc73d13\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-p..an-plugin.resources_31bf3856ad364e35_6.1.7600.16385_es-es_752d0cbaec4d2602\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-x..lugin-mui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3587445d017f747d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\App_Code\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\winsxs\amd64_mf.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_a97119d065e0832c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-audio-mmecore-acm_31bf3856ad364e35_6.1.7600.16385_none_3cda7ac5faba7582\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-photosamples.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e21c565bbeaf3080\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-r..lelevated.resources_31bf3856ad364e35_6.1.7600.16385_es-es_2a0a13fbc301d180\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-directx-direct3d9_31bf3856ad364e35_6.1.7601.17514_none_207372147765c03a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\undocked_black_moon-waning-gibbous_partly-cloudy.png	kod.exe
File created	C:\Windows\winsxs\amd64_prnbr005.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_fb80a335d3ed8040\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_remote_FAQ.help.txt	kod.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-openfiles_31bf3856ad364e35_6.1.7600.16385_none_e6fcbd244bb7bf74\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-speechengine.resources_31bf3856ad364e35_6.1.7600.16385_it-it_a557398701b2a1fd\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-dfs-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_4370608a2e5481d2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-n..framework.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c91ca004ad89a3ed\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..cingstack.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e87a094cae9b1ea5\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..soundthemes-savanna_31bf3856ad364e35_6.1.7600.16385_none_8501e89d0b011992\Windows Information Bar.wav	kod.exe
File created	C:\Windows\winsxs\msil_system.data.linq_b77a5c561934e089_6.1.7601.17514_none_b58e250edafa4a30\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-charmap.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_89981d704c19f8e5\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\winsxs\amd64_bdatunepia_31bf3856ad364e35_6.1.7601.17514_none_c81348afa0c88995\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..c-style-performance_31bf3856ad364e35_6.1.7600.16385_none_1d8aecb671a2bda5\performance.png	kod.exe
File created	C:\Windows\winsxs\amd64_server-help-h1s.itprobasic.resources_31bf3856ad364e35_6.1.7600.16385_es-es_45b44e8617793380\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..picturepuzzlegadget_31bf3856ad364e35_6.1.7600.16385_none_ce76f352fa54bd75\shuffle_up.png	kod.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-smbserver-common_31bf3856ad364e35_6.1.7601.17514_none_61fc33a326c6a0f8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-udfs_31bf3856ad364e35_6.1.7601.17514_none_049f9db233833b25\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\winsxs\amd64_server-help-chm.eventviewer_lh.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ae1025f3324a51b2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\assembly\GAC_MSIL\ReachFramework.resources\3.0.0.0_it_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..rendering.resources_31bf3856ad364e35_8.0.7600.16385_es-es_83630149944716be\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-clip.resources_31bf3856ad364e35_6.1.7600.16385_en-us_f93ee61c3bf31686\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Activities\bf808b9c0c44745fc6bf261c44003c7a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-mfds_31bf3856ad364e35_6.1.7601.17514_none_03b45f76341c9aa1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\winsxs\amd64_microsoft.mediacenter.itv.media_31bf3856ad364e35_6.1.7601.17514_none_d1ce91acb3723e8a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\winsxs\msil_system.data.resources_b77a5c561934e089_6.1.7600.16385_fr-fr_3e49fa1df2105ab5\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-w..ty-client.resources_31bf3856ad364e35_6.1.7600.16385_es-es_16231a77350a8eae\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\winsxs\amd64_prnhp002.inf_31bf3856ad364e35_6.1.7600.16385_none_2f4e6f72537f8faa\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-displayswitch_31bf3856ad364e35_6.1.7600.16385_none_ec98071c85cf09eb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-i..ptdebugui.resources_31bf3856ad364e35_8.0.7600.16385_es-es_0c45b38172c1b295\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ole-automation-legacy_31bf3856ad364e35_6.1.7601.17514_none_3c1b247e5ff65f89\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\diagnostics\scheduled\Maintenance\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-parent.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1eb985f1aea1081f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	kod.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

332fc75edd44b84a3442e6f97076f55f_JaffaCakes118.execmd.exekod.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	332fc75edd44b84a3442e6f97076f55f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kod.exe

Modifies registry class 10 IoCs

Processes:

kod.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TDDXKVAOMIPZWWP	kod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TDDXKVAOMIPZWWP\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Zh8yO5IGMxXepAi.exe,0"	kod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TDDXKVAOMIPZWWP\shell	kod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TDDXKVAOMIPZWWP\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Zh8yO5IGMxXepAi.exe"	kod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "TDDXKVAOMIPZWWP"	kod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TDDXKVAOMIPZWWP\ = "CRYPTED!"	kod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TDDXKVAOMIPZWWP\DefaultIcon	kod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TDDXKVAOMIPZWWP\shell\open\command	kod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TDDXKVAOMIPZWWP\shell\open	kod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd	kod.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

332fc75edd44b84a3442e6f97076f55f_JaffaCakes118.exe

description	pid	Process	procid_target
PID 2336 wrote to memory of 1084	2336	332fc75edd44b84a3442e6f97076f55f_JaffaCakes118.exe	31
PID 2336 wrote to memory of 1084	2336	332fc75edd44b84a3442e6f97076f55f_JaffaCakes118.exe	31
PID 2336 wrote to memory of 1084	2336	332fc75edd44b84a3442e6f97076f55f_JaffaCakes118.exe	31
PID 2336 wrote to memory of 1084	2336	332fc75edd44b84a3442e6f97076f55f_JaffaCakes118.exe	31
PID 2336 wrote to memory of 1316	2336	332fc75edd44b84a3442e6f97076f55f_JaffaCakes118.exe	33
PID 2336 wrote to memory of 1316	2336	332fc75edd44b84a3442e6f97076f55f_JaffaCakes118.exe	33
PID 2336 wrote to memory of 1316	2336	332fc75edd44b84a3442e6f97076f55f_JaffaCakes118.exe	33
PID 2336 wrote to memory of 1316	2336	332fc75edd44b84a3442e6f97076f55f_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\332fc75edd44b84a3442e6f97076f55f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\332fc75edd44b84a3442e6f97076f55f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Local\Temp\kod.exe
  "C:\Users\Admin\AppData\Local\Temp\kod.exe"
  2⤵
  - Drops file in Drivers directory
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:1084
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\332fc75edd44b84a3442e6f97076f55f_JaffaCakes118.exe" >> NUL
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt

Filesize
670B

MD5
6bbb4d89dc1da9cbe4bc61701d73e7d6

SHA1
440ad1de39414d5574201b5fd03ed1dff496f2c6

SHA256
ce643805a86233be7ccf3b4340370a9f25a3697a1351ac8adb2042928f747615

SHA512
a30fd332113dea60b02be64f3cd7df9c0ea081ddc1dc526ddf153eeebfe8a79a8640baaa5848236bc09cd1f604619eb6753995fc1130b42df42d59d6fb14617b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
341B

MD5
a2ba6089bf780e3a663c4b053fae4568

SHA1
59a5d39f43ed416ac54c80904ae254b939df150f

SHA256
da31066d0674dd120eae05c17f73197c9c650c4c2ad371a3339ccf928879f85c

SHA512
ca8b6913e4674abc593e10a655a8b5ba1cdc33fad80ac861fa9660d8979ade87d54f511a47fe70abf7fee8363be894b2e12b93a5a57d7f6c5ef2a512f2e8b043

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
222B

MD5
f2307d35c0ef4ef47ceaafbdd80e46bb

SHA1
3ff22ac7040a6c9e9c3adc4e425c0c0b77747151

SHA256
161ed16620283ebfa9ddd9529bdc8799bdc499129b3eb8cdffd182e9efd86e6d

SHA512
89590b77e7522cecd08b325d0fcd6450e2d58476358e9f11db67c14aab3f54e12af24498e20d93d553eb8037b3a035cff699c9db04513d2ce66cdf205b46fc8b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF

Filesize
24KB

MD5
b89ac519162957260c3f89338ba060cf

SHA1
b7e5dbbf12b616fb8f0ebb37b1795c90e7d67f5d

SHA256
1884dff2d55783c159a8698c563278db423b6a59368fcdc5d1c3c6a480a35994

SHA512
ad8249e35b63a8efcd5ec456ba294681a6a0badc60f224033d178bb385ca168f2142f14ac2de97d552c60e76ab3f119767c53519509c5ff095bc861e35c571ea

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF

Filesize
185B

MD5
537a3db31fb6c68505d1d4ccd6ddff1b

SHA1
9b6e8dbd9c467e68eb27266f59eb4f8dcc49aa09

SHA256
7d9ec9b764e50cd9f39d1495e9ed0631d8071aeb94d6c3b639d3366c6be0dbeb

SHA512
f861e489cd61ed9f10f4bdc62350bfe430694ed555dcc2d522e3a3dfedb5eecca6ea08947f5a821d3f3623958e77c413202d46b9890a54cad37c7647674c400f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF

Filesize
496B

MD5
1870e71755715c29a147359770b7fe60

SHA1
aa391d52d9ec43f3580aef43c101dffa2aa19f91

SHA256
eb606ec86d3c6817081b11664253e11ba48a660309eb86c788b991539514e2eb

SHA512
9506e3b51b10d933f64e9eee9a9aaaf6bcaf759dc4b709099bac42188f770c8e384334938250f03d6ac0c1ff3cc63310c03ea3af26ce3e4caf1e8eb9ecd30c1b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF

Filesize
1KB

MD5
b6758d54e93e1ba542411d6bbec65dd6

SHA1
609222ae5d378b010e6054c679138c7cd619e0d3

SHA256
d297c2e76f032d8a31c69dfd3d4a8a3e0b09deda2a90a84cc2b7f2372bf832a7

SHA512
b8f53d641cd24d0c34b9ef0ed7f8bd03dd319349c93ef9aa04c64a66c4a657c3aa30baf263a0ec29316e79b68ca6d6431e76cbc61766ccd406966aa7c4ab8f78

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif

Filesize
341B

MD5
4bbebfa2341dc1f0c4437381e400b2a4

SHA1
b730051398ee4e66ec0962798e6cd39741d58f92

SHA256
cb9bcc3ab5da2e234a3f929d0ce9323d98473aac5cd3a3ed0856deeda8b22b79

SHA512
3fbc369f5733462f1439ce8a9da6056de8f845a13445d6e0876c6ddd8c1f5dcc423668852beb58070530a0acb465ecbedfd63b827bd73470d1ea68f7bdfa85ec

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif

Filesize
222B

MD5
e20c1c6d73c0e5758bc10c133f294de6

SHA1
9489fe9c7e554a0d47f55e8f7f88da31b7321601

SHA256
c12b3bd84e7333d163dd9029ace266e0a56dd6456c040f9b7061b45fbd1d3eac

SHA512
e1c828baa147c31a7c9c9b8fec7419626d4ec64b5747f0b8c5668d8fa0d43ef95e46f992b2c14a5c1f275d0181b57292c5a5fbaf2b9d19471c64fb716120e7f5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

Filesize
5KB

MD5
71129724aa7d53b8c045308dfdc190e1

SHA1
ea9ae9023a61cade23f1bb0586cfc2e017ef27c0

SHA256
c7f5ba610be8e450fc3d6a066a771f3337da72221dda13582ced5812fa43b484

SHA512
f3a44e7ece939152767376c0b25a7ab94845f402633a3c1e0120e55f088f1c680a6a97ba17c974245351c15a3d2b61a18a512dfa6932826b329902f02c64c0a7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

Filesize
31KB

MD5
10c5ee95fd0d01185cb86e9213820391

SHA1
2fc318ac50faa07a8d0d5a8974cdf9fd05b9b1e5

SHA256
a34a9b0493d8a24c27e1d9dc62493f6efd652c092276c93781099ce256646a46

SHA512
a077787d7afc98ca5953ec889b53ff8ae21c0f34c43920bed64c6b3745f79e1b2fc6421b0890648d7b9528f4cca65c645e3358f1b60c0a87314319fccdc08561

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

Filesize
4KB

MD5
baff9447cfdfa3a90b4d96cda7128d90

SHA1
dfe9d87bb26e777008bef1389551621a9d8bb8e6

SHA256
a51a0efd534254bb81f2efaf41bd0af4006929f415185be1d38021749c41b9aa

SHA512
b9eef5028dec991ee115ef437a5a93cdc5501e1d932a781476d7dac9ec4a3f2974875a482e455d28cd5a698c92ffe0f390d09c3707f64a498201b4e0bf0ecdc4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

Filesize
21KB

MD5
56db9cb48015f9c8f8b86bdb263d8a44

SHA1
d628dc3614f82f8bbd4d731d34773643ed7fc6eb

SHA256
9439056c3c19f8a18e4188027b6f7c50d4be8a32e9f44c104f7434611907d6b2

SHA512
47a9b92a138dc6bed73eacf236bb57f60043ac7920bdd47ac2112e9a6b985668a3e99646381f40cea0fd7b3a2e9a90019075c836ecc5762bd333b5e068a19d20

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

Filesize
8KB

MD5
3411182851190023acf69c3f2b8f997c

SHA1
53b6dca031c6875883664112efbe236b045295d3

SHA256
1c88eefce1250061b0ba2bcaa582c9dc5fb7354988fdbcf93ad19b8f3d945234

SHA512
e1b1927753445be9844045ba3764827c405c01ccc56c3470988fa519b16e635e4e841b8d653a961607822aed081e13c17bfba834ac92e3181d9ebec7d42b1784

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

Filesize
15KB

MD5
0c74eb3a43853bed8b3b622d6a0b0cb6

SHA1
857ff31d0465621908a3c7ec696f2b0e9b247df6

SHA256
2f330a41b6e4cbad4ad594033a9b1c26144a0ac35df6779dda0f1e4a1f38100d

SHA512
a6414a3d42d3be02130ca7f257d4532a5bc72675515cc0249533a928b0f15de42741d49b46cde46d9893832c474333cc75db74b869b5f8e240eb026ad735054e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

Filesize
6KB

MD5
060a37cec9ad4961a89a9f3729cbf799

SHA1
34fb586992507c4cbfcc295666dbd77bec444a67

SHA256
36e514ffcb0ba5cfe9e4bc8e73c25577a6024281b78f2bf0e00d9e979e5bbd4f

SHA512
bdcfd222a807377bc3644b9f59b0d0e4258ac8e02d538965e7d4cd9569dcd0857f94ba82b4dc7e600793f4c0884f138b951aa47c5aada25227c82e40bbe0b7a0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

Filesize
20KB

MD5
10be115440f9f88fdee3e2f13438f468

SHA1
993f8da59427bbe0bf8e017d482c37b8ad41760c

SHA256
c4460881550131dad73ff3dd9b507f2dfa7fa05acf796cb9a16a4f1541512752

SHA512
bd258c59f4a008abe332e300340c1313f5e6a57dc13dffae6d17b2fb9f938d11c72489c2d058a6b9a2f04f360f44f8242f39425ba62c30f291502bc8532f3193

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

Filesize
6KB

MD5
8a329a0fa7f3d24336f4a6cbfdfdb8e5

SHA1
7697772d66eaf37913b8097f15a5d833206f9861

SHA256
15a7827dc6df2e6e101a4165b78e0e1a316d2fa58086520f113111b3c2731490

SHA512
3a9d1f3fdfd83aae9039d2d41e81dc4da246ba9dc079afd61d65bbe5f76b7a0846d26104e5f2fe720b29fafcff19fee9304112dd8c1544b2318f6e768ff8328a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

Filesize
15KB

MD5
e7cfbf0cec0c820cb44e407e8f47dcd2

SHA1
3cf227ff74ff66b942d1a9d2496e62895995c452

SHA256
b4cfa1e302d19e38ae15630d0f2d8dd5c2da618f50191340315dd7b038759584

SHA512
e025fd9916ce772712137a88f53a08b31709cf5c518d735a3319b36727f02429747406b91c4e45d4f27f453a04a37b8696788082c88125aa5e6ee23646699eb6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
2KB

MD5
221a9e2a63de8c0a10d38e1373719e35

SHA1
31777859faa8ea3b90f985b66e1093efe6cf9786

SHA256
bd6392f3bccc80ed0d158a6cc141b517c50eefdec00bb81f51de9759005f01a1

SHA512
886ccfb67e21e26f5909676e51407e4a2b8e6514413319d9c38af80b7a696d4b358a2b65c4d77d8b601709a9fb0b6455566d25f92ca66bfe2918a3237ec237ef

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

Filesize
2KB

MD5
ca2109c285654a79bcc12a388a35abef

SHA1
a6145de4fae3619036c5ba38e647618a665d50ac

SHA256
a1f9f46a418e890c409b15d1d6b1479f6523486f8d08778fb8102f26f27a0653

SHA512
8c2aabc5b41ee759b36b33dc83ffe2aa7c4048bc07d8bccf57f6b7e764f77d31de32a3eb3e3ff9c1d4cd2f71c339ec11fbd5692b3ec9f9f089a81fc0e55aa426

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
6KB

MD5
ddf1832750425139787578266fc0015e

SHA1
f65b46c96d634402d7b194c98419691f16a90e83

SHA256
6ae49928888750ed34803acef16b8cdcff9e4b930b48a6afaf9fcd5474f24d2a

SHA512
60291baaf9b3f36c47f8707f60aa97407412a5979055b734d92896e1e635bf6918af47015f1d3843bae2122be180da88c320e4dc06f756287b4fa4a9b8eedec5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF

Filesize
255B

MD5
31ab75c4ae48d67c7c9ee585bc9304bd

SHA1
c0fa9b115fbd50e9f766accb7e970779db9eeec8

SHA256
abe5780e0b0cecf7bd702c1f3ac3fd96a7af361c6d1ac1c90a605835a7acd4fa

SHA512
becb139ccbdbcbd7b9e6c917cbf03f73d8f1fbe750a1682031eb2b0176617a8786254557f57de01611d2548de33f770ebbc691bc5e770798491459b792c5f284

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif.EnCiPhErEd

Filesize
323B

MD5
a383fadc18515b50e06ece4b372b6766

SHA1
d7a9578681ff0b02b625b5ee70b3ae353e935a59

SHA256
37f55b234b45e26515370a13be6a5fcbff090cc45bafeb23041836be1930a1c9

SHA512
02efbf308cb3c6d4232ba8916e2504f88241eca9e412c4f5c85d2a1ccc50cf79c0e68ba3156d0a8db3acae991041ce5279d2ca0a6830f37fceaac3c1ab8ce8fa

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF.EnCiPhErEd

Filesize
367B

MD5
8c34665a6da4936b9bf38482b77989a8

SHA1
e34af6e9ba1e7b354d1d7819d72e0b6ee5b65dc1

SHA256
f5e92e15fe9912ede8a7dae4855615301a6b698db97e108c202c6dd60a22d7f6

SHA512
325027b28bc42a908b4316dcd03f1d038871abff5a7132261dffc76f3b2b18ddd40969403da8062c8632bd996d1b24b2cac2e92da1fc0358605629587c2daa49

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF

Filesize
148B

MD5
89974a981243b3b02adc7bad83434be5

SHA1
6fe88f498e3f9e56a7e5af529680cc39a934dfac

SHA256
d41dc7da63f38d51879f7a5999f456995a11e4a9dc934e59e97c68b425ed6c24

SHA512
b465a00fca3c6e79e8e0a676c0ad8f2d87b513b89ca3d676829fe891e39d28a335f7be840a0e15cef4a9a40818ab4d307ca26c8f3750def272dec6b841aa19b3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF

Filesize
440B

MD5
671103eb271d0f7de1e60ebee4bf942d

SHA1
2ce397e91f12630dbed7da98ce76e3d90181128f

SHA256
adb25ab21aa334d25288ac84469f784f9a1f19fa7461b3b4fb41600216955c73

SHA512
5e78d460954a80b796ad110634a0021525d9b70295f0d4d0ae98e1439d842e43a51a7ddb03e9afa65655c8246c42ab5ea6a3f6e26866b0ab6e6c12cc3d4ee082

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF

Filesize
462B

MD5
6ccd89973360c8f00096b65f9a58bf15

SHA1
c303fe3d5e868df6eae9af88810447b8e664a3a1

SHA256
3c425658be19ffec2b6b6ba572edbedb9bf971c90119c12f913e7cf44ec68f75

SHA512
abd0ec340256166951f27eb4ac359b70aabf943e5ee9ab71f167913174457faaa4624958e1d1d57256f707e6f02ac62b3e384db45ab687eba87374be210e4f68

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF

Filesize
267B

MD5
b271448cbbb45c158b25e38069ac815c

SHA1
12ff5e295f8adb5dfb3517b55c3d2c889799727a

SHA256
c2999d92a68906008618f361f69d007c86610bfaa13537650c4064c92b583f5a

SHA512
60414de7de29f3f4721cab5b78fba767b360e97b60e9df645f8a6a3cbb2185be538284cf151113a8198fd97484b0ae5d502ea9965e27175d8443e1da3eda49c7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF

Filesize
2KB

MD5
ce1f842877ccc94c00761464bd38dd6e

SHA1
445adcf7aa62e851528a7dea4d2df198c5e8ebeb

SHA256
0fa5ddaa2f427910f9930bcc43a3ae35b0c2f900357b02cd255604668844f7b3

SHA512
d5b5a020fc08793866721e378ef3efd26239c4e475f0846e0da18ded79c522efe8eaf8df70d6b0cb0b825c0897a225008f8b6b49aea7657f9fdf372d3cd326f9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

Filesize
233B

MD5
458db2c19f2dd251afcc5476182cc2d1

SHA1
5a06c0aee57b7667698bc14a00a0a194c2362bbb

SHA256
5f15eedb3a9f0bbf34e3d7c7b1880b01c4f31929dfde031552063fbf82a18870

SHA512
cc2b272ee11767f944ef6fea4cc3a4c666ddd1b615aced35b49b2fc3e6d058e0db9bcd3e8f40dc1078e718e4fc4186ca013c80e48bde5bf9879428bca7cbe5d1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF

Filesize
364B

MD5
2951ba5b64af28fc6e9f3d107d40435a

SHA1
be2c3d36e10d2323b6aca321db279f0b46b83ced

SHA256
38d01318f1d5d942ce63c9962f69dc366cc5a0aef76ae74b93b6b3225893a1de

SHA512
8e4abdde392a68b63a5495ab4311a86921c5aea85c28aaf71f387be58554a2b1be6049b4971a618e92c1accad94a7ed99c7be0aacd1c98d8ad859024711a509d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF

Filesize
364B

MD5
89f982dfc94f592798d3bfad1f933afa

SHA1
85ddb054d6c61ac3231356d8fdd7f1748ec4ba4a

SHA256
37bb3246f158144213ab7bb44a0bf11a695ee6cdae245a5db43952b8310661a5

SHA512
0b2b3f8d27c1380515fc9da51257c2956fd8a4a0cf6e8d6e7ddc9c2133d9670680390c45ef331a51ed2f544a8968d3af21406f082222148fd33596ec2629e4b9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

Filesize
6KB

MD5
4002be8dbe3b64f27c833fb036eb9adb

SHA1
b21f1a4ca74f843a408207fd2a79d5c365c2d09b

SHA256
78fbdeeba16b1e29e2919ac6e953ffb8717f35b5924fc471ed2ab59e2c9876a4

SHA512
4046b77ccc9f659fa009eeba6affd3e449bad5bdd88d76ab170bcbb5bdeae4b671fd67636a2b21507f4724a4c2f725d3d65ed72d408496152ff357a6b97f74ce

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF.EnCiPhErEd

Filesize
428B

MD5
4bb3eaa032536e1fc269e83e94d33954

SHA1
c146d62ff4c2ee997e60ca00637395ed2a45850d

SHA256
758f65ceb96f2c66920b18dd7d0c5d61db5c64dac72df455ee0ed89216cfc495

SHA512
e22025888dc343d52da015c7056ac2b0e6b4e40d459c3fe99de45c89dfa7ee0c1551deea2f25ffbc8db537cbef563b4a7a0eb708246f32c62233f56afc96237e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

Filesize
815B

MD5
8ca4d7e3cbcd9d87dcc7f10cc2af3d19

SHA1
b49415d6fd770b995f4f0c730168139ef41ce364

SHA256
8f9779aa19c3aa0a0800e1406c3421f2b795793ea234c2d07eb6f31d08206bf5

SHA512
9d74a84c7a9ce452b277382af6bfd8ba8e0c23a17b59aa24f9c5695529ae75c7ed3c9dd085f676b3c29d10b8d79950953712a088a2d9921b1f2cb3a5e6f9cff3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF

Filesize
870B

MD5
2302169a086cc8a48a2ec06f5ff7635d

SHA1
9f5c63eb79c77a2059b69caf3388f2fb41e62bb5

SHA256
8aafdfae2ff521079e0167f0080748c500be9c7264b32fe50f648872e0d81e08

SHA512
83d3709408627852c0b055c0994cdfc3b3c22bffb3f022ff070b119b83bf7bd980b4592d39af9cb0db95d055d44b444438edf2c3a77e7453dc2088d309e311ca

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
3KB

MD5
98e3771c2afc2839e09862f3d070d5c7

SHA1
10c25fdbd482fdab85b19683e854a1a1171f2e49

SHA256
2eb06b55aaacef7ad5017657f94a15f574235d508995e6ccae9bb44889a54621

SHA512
ecc3c4a62cdae1c552bf53ed041699a6e030396944993d8fdae31408813eccf704a73b12c38dc30d16ec63b11bc242e83d328180a5ef463c63f1f5a892081263

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

Filesize
2KB

MD5
ccf793eb9f83d0f77b4095749439f239

SHA1
8a2d9cd25cd204cc787d737273045bb10da63f60

SHA256
cdae9f5b49b4f53541e8af43c544a86c252e5fca10046034a4b756f6ce7cfd78

SHA512
8ccb1a91a0046248561c4ce01ed8a90b0994d5d69d862cb8483a63f5e970a4eda671f557f206e2cc2bf93224e4817091726481ed8acaaeaf06589bc714556d8d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

Filesize
19KB

MD5
885be553a926e162244d130fb020dbea

SHA1
f15c43f774c0ecd354fbf5c097adaa8a0a0dc51f

SHA256
f8003797861815f9a7dc675e40b25e85987a1a54989558a2f8d50276ae8bfa55

SHA512
df7557b8b182da11a79dab492e4df245ade8c3e1b0d13b8c1dbf5bf9db84035fa09c91284b590f782b366b7867f5d4fc6f86b6288c6978427143af18975ccb1e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

Filesize
890B

MD5
99c08c8841d08529cf81c7482bccb43c

SHA1
7e52cac23230aca579eb197a869c2ea77363418f

SHA256
59d9619101cd57c840b590fd8e6f8229a60da607a2999850d99dfd6380ddede8

SHA512
87101f8d33f547a30a124266be41376b208fbc9b309f6e182510f5e0f5c8d0e186df883b29fbf1851244c27b345bdd2266d9897664b56e4bbb6c8410ed58a67c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

Filesize
852B

MD5
0a62ee1664ad3ca9cbd40ea42255559f

SHA1
5c212bfb415f22eca421c534ec69c9f8725b278b

SHA256
c0420f7d3ceb4483571f3dfd69a0ba6be2fd11089201a827f60497b9cce1002f

SHA512
55768c049ce2dc8a76b2e9821b2adb7588eed9130f402f3afda69522c98105dca4e295d393bd65cec3a9175511da08f37e2286930eb585613400b7de4b3c2689

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

Filesize
860B

MD5
614f1a8c7b390fc4540a01bc93eb70bf

SHA1
58118e88f2be3909a5d5e290a6e243c86ced0bf7

SHA256
a563917fbeca51ef531ad89f343002f5e7933c875932539942a7cd4728ab9ddf

SHA512
906ee202d701949ab037f7eb203cadba6dfde5af02a29579ec75617e012c69cc97bb803d6ce3ab0a42a89fbb278a419efc72b61d804ae57bae42f7a2ca59c145

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF

Filesize
580B

MD5
66975ba3d0ed822533806e96b6746b3d

SHA1
e2093114df917325063315ee219c35cbac12207b

SHA256
0fd866d6d67fac7106302b12bbfa79141099072895719aee0c0b230302417038

SHA512
367680a0c5298c7c0daa29f4d9996d5b66e7e3c5d05e81d1ff4516127fef28bc3917ab8b81e9c3bd06bb7023c1bb74a7b4149077d204134d0ab3a6212acaaaeb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

Filesize
899B

MD5
8d5fa302a405aba1f5202ff58514ac3b

SHA1
6d1c813480abfd3d3b2c7f7509f323e25cf7e75d

SHA256
c0036609c1fac2471d038fe9ad594bad906fd41d6608a08e35c0113dd464949c

SHA512
2b443eeef05fe584c7abe6b07e211e4552f1708eecc6402042fa8ef8ca2c65623f3930fad7f98c750672dfcafe33a39f7d4d000392678cc36bb8bb85c3535938

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

Filesize
625B

MD5
2b8180434737f1bc41ea360ccb3ad6d1

SHA1
13e5e197d046978a336e103e531c9cc0ef77fbd8

SHA256
6b4d97801a715e0a984456564d1f633b0cfe56b157f278003c9030365a485ac2

SHA512
791272c25bbc7b4c4af33e27f83114ae9275c974b84097765fa4ada27520730a0f0bf3412541edc3d8f262f05fd94cd7908f9a9a67840d3da7730a39e228f38a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

Filesize
873B

MD5
24c3151bf10cd4be2129bcdd599ce333

SHA1
e9d702d8135485a8d4c7316de9f335972387e7aa

SHA256
7eaafda3a8b4b54d084164fd732feaf60f3db3f27ae6b52c4efc70bb776bbf5c

SHA512
529a77b655021933e54ff1028b1115f814bd3a167b5c3ac7de5b8cabe3efc9e370241d3ba27e099e3aaada252672a69eef093294b54b0dc886780de876e2301d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
5KB

MD5
17373bb4e448eaf556bdd8284dbe75c9

SHA1
0977d96b907f44485c65ea424be37815d3b2e3e6

SHA256
ca0fe2d6dbe7b3e67f27f47e8a7649375844e095a1826119542371227c831b44

SHA512
7afdbb7f365e1e2169c5afe46af16d4f3d2221c9adf4e49e87b3775645cc72617bea42d1c6a71c3dec23252d9000894e59e2923fadf4e47ba9e1315708a3d5af

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

Filesize
1KB

MD5
9b725c799ec505f2f9cd363e0f462769

SHA1
8f41fc05b23dc8c6fb34ead424c533450a406dfc

SHA256
061043b12a00c2b50cfedbd6b66f126785c3494e307a6121a3d73db49929d62a

SHA512
1c0f8afb7fb65b9782a5c4e87774043d2424afa5ea78b6767212bf2c8b868a3e83cf7c4a801230f5f56232eeb97790a7d363da6d34304d2198fd652f11b1b1dc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

Filesize
615B

MD5
ef1d0ceda8c381a3be8d53563a0670f3

SHA1
346b1b5b624d1303d09c5a509545dbc96498fa27

SHA256
1cb7e74e827d7d918e7d4a5fbeffb95df4a5bf77642c78b9922f38a6804fd1f5

SHA512
2c6bdec0a6c16bae358c87569d76e9beb5aa4929bfc7a4c5862bb05c30a9697e52335c0409b77729df9d9c4c51bce50be62c97cb07f581220e973fa8bce79aab

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
848B

MD5
af10005dbe5f3c62e5eb602a11924523

SHA1
2d4a89eb859b39763b258b2dc859318dc3c0f4d5

SHA256
1c5c36952e15f1153be7ccb814bee7dfd33bc6fea88b576bb7c3ce867acee3e2

SHA512
25d92ef2dcdbee4d4d0fb643992097e2f696da8577898a1f929c6c2505c6642171347a7cb4a429bf37f902e3b6158ee112aa010ab190144721e61b3757cf0227

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
847B

MD5
a2d998c9be85a42f98ae95cb92337e34

SHA1
1ab9f6bb683549c8bd808574b5c83b8cc7a8c8ec

SHA256
960f28bfcbc4e9e7bb8b480359d09572550aa6de59b8e5c085c16aaa0d1cfa54

SHA512
634fd7dc7a2ca3f305f756a6d0cd0a8d68852b2813fb854285814ecff298482ea7c6a55e114f2321841e587792b387e044570a6f95d08982a5ecff5e40abe4e8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
869B

MD5
be891564c73c299963126f1297bf87e3

SHA1
3ba4444ce139d831f29e46c06c1f91a0596778b8

SHA256
b88b994da8bdbf7dae90d351a5dd7dee53c7355870ba1e0d4cb7debbb79bc02f

SHA512
883a32bdbbaced1b3d835b3cfa58518e8fee780feecc63b6b00b23f24d87d79a96bcbb4027b44766ab1c4fa3be3f6d90fee36eafae907a3b4f7796d0bee30f8c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
847B

MD5
699be4bf0cf6068347ecc5e4a69b2bdf

SHA1
892a51656c619025315bca95d72454c0fa02342a

SHA256
6c2295ecdba8115a92c777954c1d13e0cc17cafe68af0762064eb9f1c397fffd

SHA512
d759f42e23814b6941e53992be5489fe030fa84490f0a7b2e7682d452c712390f0654ca29a8e79740d03632a40cd2a87312d09ea865272c1fc2f9bd943a653e9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
863B

MD5
f2e0a405ed76f0b1a60df71bc5b68929

SHA1
afa0a53263ffc89a813fca8f34cbd0fe1d7136c4

SHA256
6e6f0ceb85922d7faee8fb639a5e6c30a65f2c185f585afc7f051c7cefc6ecb4

SHA512
c3130baa528afb26f33574b46aae2539901694dd0a01550195abe64497f862493dd90f5daedd77bec61b736322e96c1da29e12229ed2111ce25f2981f481c5a9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
861B

MD5
ef3fc557504495a0a25dce72a8ccfb83

SHA1
cdffb573cb300b30aae366c7198387e36e5b0659

SHA256
985329ad650c506a1b27e55cae8e224f82ae314b8419515014d964d78ea5af32

SHA512
004436d5f696a529c57b9a42bda3b5f2fc3f6f94e4f7bd30f8aaccf3a3766aa134eceb6e2a62fc7a5755a4b0ff98410351d848866a784b9bb0d68e1c5eadd6fa

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
850B

MD5
316d8dd90b7ab0f2950d6ceb392e376f

SHA1
865b991ffee59f3ef11d95a539819a5e4544e387

SHA256
95bb2f719af9304fc09b26b12466c5e73802dca49d54939660e79c919da930be

SHA512
4684d06326aa4d0493d8164a71ff15d27a7f8558d0d1808bed8a016eddf93ea5c45562b8a2068ff25019811090ad582d6f5e759c11bdb839742ef66eb33f7cef

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
883B

MD5
4bada3ee22d5a1b0becc1c519b1d3cd0

SHA1
56d66a20add9952967f801b84975a70bf3a1dd0c

SHA256
ec0539a39fd805b1be18611fdd51d9cdd3e14aee86913a93fb4aa25b04f0da48

SHA512
59c3b3537b228f4147d002c3a91d88f00ad6e7ccd9b41e4e5e33dbf39fc540ff259708f55387d1f01e8cc60aca8dcda42108856ff037487ab05d6c403fc1e834

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif

Filesize
153B

MD5
12d094d717e57b9ee0f16bb73ace63c4

SHA1
57d5dc04a605b3a7e880de81aacc210568353ba7

SHA256
8dac2295be785d584a47e89f79f46ec346f7f74e5001b15b24ba7aea0349e8b1

SHA512
09ffcc20ee10ef1558bbe5cab7c8e51aa8b9588de2a719393b92309001100147a1b52d4d7d2ade0094deb67b84294f8eb568894275a116ddd3eb164e68ba9a40

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
8335731730bea2fda9032b7f1a1252bb

SHA1
6ff4e29b2083b3df1ca451985e1ef899d64275b2

SHA256
66ba2a9c6fb98a210196daa8d251eea18aaad9c1d5621163926e3d4710e2c0a9

SHA512
293f36f36b11279821c23b9422f7fbf6ddf69151ebdaf3aa051c0e9a16caf58e775fd9af61be944d5e05f9475b27a4fab12e42c4e3d328babfcc7bcb4a538772

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
d80fc07e909b90ce513ddb76353ff8c2

SHA1
35e6672056b4b3b956c218b411840d10d5597694

SHA256
1641155d56dbb8b7ea86839aa10eedde879091e55b68ff81da2c3d52b6a4dc91

SHA512
310a26fe55aba473b900c4f60f4fb59c20fec8439e81e6c445ed145ea8cb7a4a3059a1e605385da95b3fcd8ef5c9f7ff07faa9c2637915405e428fe63889edcb

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
285902fd7a1132e2d1813c6814794dde

SHA1
e8c154208a61829b9d5bec6bd76d0b1a1c587575

SHA256
da02d275e551c14e93ab4b71e1c1862a629fc2fc7ffc61936e2a038b5d8958e9

SHA512
07104899ce2ce53e4003a36a9d36f012a23b6b3b699667bd56b359d47cbac60f0b6d4f000776631ac84c834c3700c7828bfb0db6a74c6a9151e7ec506e2b730d

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
c2fedd24d6c0b480b13b5f0f34eb3605

SHA1
f7ebcbe6bed702573376528e8e23e030c48f4f61

SHA256
8d574db89163bc1234a52ea0ca9cdf414a8b7ca5b6c70e463cd4d867bf0ac249

SHA512
066977975307233a010bc4817eb415d8013cb3600af798067fc25f455f4b246c551a0fd9359d3a73d1c95e38bbdd06b923ddea1971754bb34b7f888ec5e0aa4d

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
172KB

MD5
69177b9419369b9b819d60e988cc72c6

SHA1
15eb37f07bd51f788fe2ce539be5e482fa2f0ece

SHA256
5069ac209684982dd28b93720d2dbd727861669aaeed0ee145afadb8baa784f4

SHA512
fd2229a8b6c2399df4284200ed47b5269d1929e23acaacf8dec4594b1b74b102da97242f9308f693999bac50cc51fc52944b0999e99bd417e554ceb9daf39b7e

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk

Filesize
1KB

MD5
4a057dc3261d3690e9ff90c7d714c607

SHA1
98c284282f78387d10bcc89b27ae264953c06ee9

SHA256
fa858390edd88f93fb172efa39c033c96e2fe3a444ea7a71703ff0154a438d06

SHA512
aa00cfbe0f8ca76265e9b85b7fe98cfa6e37bedfaf0453f0049a36a7336dca315b58942e89b26071bbf568297bc1b9e8ae295aa9c55d01b383c2c7532482badc

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

Filesize
21KB

MD5
1d550eef416d4e2ccc0c62d77195eccb

SHA1
a3e579ea7af45c8c9fe0dc3809133f38d1692aea

SHA256
3963c9551108e254ce24f279841252b646ab303b9c72a1fe346025542d2316a4

SHA512
de02e2b58719f71032cf36f1fe319adbf23e56e6a5bff66eed6cceae517a06658812d8dee102dd139df4f51d540d5a314e22ac7e2a13c82422b3b52f87bab2ae

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif

Filesize
1KB

MD5
b47519529e24511ead82f4aceb27f649

SHA1
6433c14f4243f25e765ca57a316e7ee6c7f506af

SHA256
27d6a7a39fdb3a11940de3b3a16cac0cfc86788889f0d5393812ed7a1b41ad65

SHA512
1d84e093518b4de27109b3cf874130e386968253edcf5824329dfdd43ba814972e8dc3fc7c25ab75d4f69fce5a22b2d253fcaeb4909246781fa3c3549f4418eb

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif

Filesize
952B

MD5
ae0e012745efc4cbfa0206cb22b68746

SHA1
1c94558899976959f43512bf3ab84fe110e0bbf9

SHA256
42221bc39107181cbd858cd2b8754a93b52c925a6bf2bdf220b9261d628ecb7b

SHA512
409fb6afcc023d5a163ef0045ddb496cee59c84c8877b97727b27f3f896d91cdb5bc621f9ca68a4337c84ceff136f5b5e64ebc46b97aac999fa296351f34ac26

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\aspx_file.gif

Filesize
121B

MD5
3e3c7c94974d18a9c224a8c1dbcd88bb

SHA1
f33a6aa5f59f6e38c6a80fcf107364f2eb53a133

SHA256
e867f90e50837943993fc09be6a630bafb1a5bf95327886934ce98e3156f02c5

SHA512
7413d38ceb0060d997d5994a1e63835213d7d682ed8ac383199554aa3ac4f8751723c59f4203b9a3556060edda92c8c492991cecdb336e33d4d82477ffdcdbe5

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif

Filesize
1KB

MD5
9b1cad74a64c630a6592c798c380eaf7

SHA1
6f2a9b73e83b12fe891013343ac4b757eab7b6f2

SHA256
03ebb076adcdb0c062743045d9ff83414dc68e78c0fca3eb7b5235e8d8653051

SHA512
53e05eeab3df374def129cdc97b6249ac37a6115323a8b53e6fed6a1dd89e46b7b24198f6da73b72029279c53a12811000bec020fc32bf55a166953fa2f876bf

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

Filesize
8KB

MD5
0204342a86d21c37bf24653cfe330980

SHA1
923fc65d09d5d63ec5be906390fd1a1088f97720

SHA256
3cc4e1c687396f716ae961c8ad64595548a76aac1617b9fa1ad576924a53d844

SHA512
79e9c77621b5cf7759d67b6866a712fd0e16f870a73956e507e233e5d528fd93d88bd948d6081d1d53867e00ff0a0880c87b344101ecc2f48b3ef7ec948e9da5

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif

Filesize
914B

MD5
49699ecffad26438a52e687f5f0a4189

SHA1
79dc42d0982ef042656c618378a2e8676dc88962

SHA256
bdd0c6b5093730c4df29f2bbf5f9b007e97b4dfd7f221ad8347cd27477bdff0f

SHA512
bb9d4b4d544c68d6bbd5529119025d3be89816c1b45f7afcbaf16b89c55e0d368d5f51b2c2d89463f7c4fd113be3fe456d6016f4ab4fd9c39850b0814a19d0dc

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif

Filesize
328B

MD5
b751717165da6e2f687622dbe20e5791

SHA1
c641b642cbeccd287a04522d3290ee8d6d2f6969

SHA256
61c27a9d473cabc210445b6919ec0dfb931b256390e930c963ff5ae980745ee4

SHA512
6c1a4267bd58c27ae3fa2c0493dd23a9654c73d3b351cd61f72a12b04330e31e9f5103573241727d975275774c799f3ec652f3b3fa844e6f66edccf3146476df

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg

Filesize
1KB

MD5
18f58805f3e99546c67a9e3e76871d69

SHA1
abb5cad137f91cd887c4859146683d8e24cf9394

SHA256
0ec51e097c5facfa0cde6cb97f2bc26fe67d389d8c0262762dfe2aa813200933

SHA512
ca58022db48c993b7e6ce7ca58c0a512242abd65a1d8f4720050fa2f2f54444674373f1cf153a9b5d0cc3e88e17909fb4f0eed6ef6cd27401703cbb6c58073de

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image1.gif

Filesize
162B

MD5
fd0e5ce8fa77f25d1ec08d459c452cb5

SHA1
3ecd2051e7909522863b666c74188e8b5e8defaa

SHA256
63f290481de7a92626a314a18e6de78fd3e25a64add26a372fd89c5331318970

SHA512
5f3893b6e9346e109c879633f5645c5a372081369d54c49f97429fe4fed3a7a0dbb1a073a7187b7369a1d1add7b9a926eac3b11c4494258d442f1126e8e1c9a9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif

Filesize
586B

MD5
3501830cd803c99515c67fe23ef843f7

SHA1
7fcd940b57a1fe309971011fd217e06a7562e5d6

SHA256
0a498433e21e3e445395fd62e63c2fe8ce53e6acc581687ca7996ef43008ed4f

SHA512
ee3def38ca3e2573c816be0eb456ed018007593dacf7e288ae42a9063ea0ec520de289cd7544d3d5f5237e308c76e8d7112ae0dcbf3917df641d6e5cfc5e0699

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\requiredBang.gif

Filesize
124B

MD5
db0248a00994754df9072639d7ff92e6

SHA1
dfa8cf4b694ebb7fd6b8c2e39d26377346d65a53

SHA256
4c213287cee23e70122282a42c399c626e6147983df77d8fbd9eb2d2f63784c5

SHA512
d2dbfb08958b1223100795a4a1721b721507fb0c7415ba21e52d5e097138a5c4a4bb58c6876c9ccf45c62abf2f55eaec5197f3df0eb1ff3128f13dbd0d428480

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

Filesize
8KB

MD5
bb2fb37e20c5170c769c90b81c58d35c

SHA1
eec56868920024d27ecb4d47ba0a86d4b7c95750

SHA256
429a85bbd9bfbb5032e01a0ec0d7a1376231025e7f60c64651700af778a119e5

SHA512
9e5c50547b3109e03bf6bc6dcbc64025f2451c16c239787f71fa7601f1e3cc17c8fbd8b58f8eb4878226407b10973804317b9eb194e294f174cd4683f282a2a8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif

Filesize
880B

MD5
ab9447db67233f45749e3159d6643d25

SHA1
7a7233a58c5faa44c37c8ebaa21a92443a583dcf

SHA256
8b5c0e32f99a361acfe5b1782f547259da31192c1734c0f81915f7912fdc452d

SHA512
2bb480e325ff56c08e32fcfd9bbfa32583ca46ec726dd0cbe5359901df0406e581e5d0b119b71dc3882a3308b84ec19715531854ffe777b6c7a3e0473f56f4c8

Download Submit
\Users\Admin\AppData\Local\Temp\kod.exe

Filesize
7KB

MD5
dbe9a0e8a0f3581128d9cc4002fcd8f1

SHA1
ff196b5453f485ae4b35e6c46ab1aa38c627fc20

SHA256
f66404a3041ed40e2906ef1228bf5b7532b8ac44e8f8644780e0d310abf9a07e

SHA512
384ebd9bbc2491e01c63ab129ca0e4f27f8f5332e669e2efb4eb32bd838ad71f4b8a0f9beb042fdd66010a9703e2628728fe84e9a2b5f4a77074ae69854d9975

Download Submit
memory/1084-15-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1084-8793-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1084-8796-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1084-9064-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1084-9065-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1084-9066-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2336-0-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2336-4-0x0000000002580000-0x000000000258C000-memory.dmp

Filesize
48KB

Download
memory/2336-5778-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download